
Add test for CA migration to container #4778

Merged Jun 12, 2024 (1 commit)

Conversation

@edewata (Contributor) commented Jun 11, 2024

A new test has been added to migrate a CA from a regular PKI server (i.e. pki-tomcatd) into a Podman container running as a systemd service. The container will use the PKI server's existing config and log folders.

The container startup scripts have been modified to use the standard CSR filenames for the OCSP signing and audit signing certs so that the container can find the existing CSRs in the migrated config folder. The default nicknames have also been updated for consistency.

https://github.com/dogtagpki/pki/wiki/Deploying-CA-on-Podman
https://github.com/dogtagpki/pki/wiki/Deploying-KRA-on-Podman
https://github.com/dogtagpki/pki/wiki/Deploying-OCSP-on-Podman

@edewata edewata requested a review from fmarco76 June 11, 2024 20:12

sonarcloud bot commented Jun 11, 2024

@edewata (Contributor, Author) commented Jun 11, 2024

@fmarco76 We had a discussion about this in PR #4763. This test shows that the container can use the existing /etc/pki/<instance> and /var/log/pki/<instance> folders, but should we require the admin to move these folders into pkiuser's home directory to create a proper rootless container? We need to consider what to do with /var/lib/pki/<instance> folder too.

@fmarco76 (Member) left a review comment:

LGTM

@fmarco76 (Member) commented:

> @fmarco76 We had a discussion about this in PR #4763. This test shows that the container can use the existing /etc/pki/<instance> and /var/log/pki/<instance> folders, but should we require the admin to move these folders into pkiuser's home directory to create a proper rootless container? We need to consider what to do with /var/lib/pki/<instance> folder too.

Does /var/lib/pki/<instance> have any use after migrating to the container? IIUC this could be removed.
For moving everything to the home folder, I'm not sure; the only requirement is that it is accessible by pkiuser, but keeping the current location could be a mess in some cases. If there are no other options then we can move everything to the pkiuser home.

@edewata (Contributor, Author) commented Jun 12, 2024

@fmarco76 Thanks!

/var/lib/pki/<instance> is used as CATALINA_BASE for Tomcat, and right now there are references to it in CS.cfg (which we should remove). However, in this case the /var/lib/pki/<instance> folder on the host is no longer needed since the container has its own /var/lib/pki/<instance>. I'll see if I can clean it up in a separate PR.

@edewata edewata merged commit 97dfad4 into dogtagpki:master Jun 12, 2024
145 of 153 checks passed